Jaa


Sysprep providers.

Some custom application needs to have information related to windows installation as well as needing some information from your custom windows installation. Sysprep providers is a measure through which we can provide the update to the application. typically if you have installed your application on an operating system and then you want to get rid of the application logs that the application has generated so we need assistance to delete those logs via sysprep providers. 

there are three types of sysprep providers:

1. Cleanup: this pass is suggested if you want that the application is used each time sysprep is run. This pass runs each time when the sysprep executes. 

2. Generalize: This pass should be selected when we are to remove the computer specific information from the installation media. e.g. when we have to get rid of the customization done in IE etc. this provider is run                                 each time when the /generalize switch is utilized with sysprep. 

3. Specialize: This Pass is used when you need to put some actions in the sysprep that will reinitialize your application AFTER the machine installation is going on for some time.

Sysprep providers create an entry point which should not expect any command line option and which should return a dword value. ERROR_SUCCESS, if it returns any value other than this; sysprep abort and remaining process will not complete. 

Registering  Sysprep provider:

Entry point is a function that the people must install on the application and then register with Sysprep providers, for this they need to create the functions and then add the following registry keys. 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SysPrepExternal\ <configuration_pass> \ <GUID>

Now having said that there are some inbuilt providers as well that are executed each time when a specific function is being called. the registry key is same as the above but the the path will only be Sysprep in above in place of SysprepExternal. 

lets have a look at the normal sysprep run when we have specified a generalized switch, Log file while running a sysprep is kept at  C:\Windows\System32\sysprep\Panther and it is very well going to tell you that. 

2015-01-25 01:58:56, Info SYSPRP ========================================================
2015-01-25 01:58:56, Info SYSPRP === Beginning of a new sysprep run ===
2015-01-25 01:58:56, Info SYSPRP ========================================================
2015-01-25 01:58:56, Info [0x0f004d] SYSPRP The time is now 2015-01-25 01:58:56
2015-01-25 01:58:56, Info [0x0f004e] SYSPRP Initialized SysPrep log at C:\Windows\System32\sysprep\Panther

Permission of user is checked, 

2015-01-25 01:58:56, Info [0x0f0054] SYSPRP ValidateUser:User has required privileges to sysprep machine

It validates that all the command lines specified by the machines are actually the valid once, 

2015-01-25 01:58:56, Info [0x0f005f] SYSPRP ParseCommands:Found supported command line option 'GENERALIZE'
2015-01-25 01:58:56, Info [0x0f005f] SYSPRP ParseCommands:Found supported command line option 'AUDIT'
2015-01-25 01:58:56, Info [0x0f005f] SYSPRP ParseCommands:Found supported command line option 'UNATTEND'
2015-01-25 01:58:56, Info [0x0f005f] SYSPRP ParseCommands:Found supported command line option 'REBOOT'

Since we have explicitly provided an answer file called as test.xml while calling sysprep, it will validate if the header structure of the Sysprep is good.

2015-01-25 01:58:56, Info [sysprep.exe] UnattendFindAnswerFile: Looking at explicitly provided unattend file [test.xml]...
2015-01-25 01:58:56, Info [sysprep.exe] UnattendFindAnswerFile: [test.xml] meets criteria for an explicitly provided unattend file.

this is an important piece, it confirms that test.xml has been selected as the 'official' answer file. 

2015-01-25 01:58:56, Info SYSPRP SysprepSearchForUnattend: Using unattend file at [test.xml].

Once this answerfile is selected, it is cached inside %windir%\panther folder and is named as unattend.xml. As a security, possibly you may want to delete your cached answer file after installation is complete. Morw info can be found here: https://technet.microsoft.com/en-us/library/hh825023.aspx

2015-01-25 01:58:57, Info SYSPRP WinMain:Found unattend file at [test.xml]; caching...
2015-01-25 01:58:57, Info SYSPRP WinMain:Processing unattend file's 'generalize' pass...
2015-01-25 01:58:57, Info SYSPRP Sysprep is running a generalize pass with the following unattend file: [%windir%\panther\unattend.xml]

Sysprep starts executing the Action queue, 

[sysprep.exe] [Action Queue] : GenerateActionQueue begin
2015-01-25 01:58:58, Info [sysprep.exe] [Action Queue] : Processing pass = generalize ----> suggest we are now generalizing. 

At this time servicing stack is also initialized. 

2015-01-25 01:58:58, Info [sysprep.exe] [Action Queue] : Using component order file C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_655452efe0fb810b\GlobalInstallOrder.xml
2015-01-25 01:58:58, Info CSI 00000001@2015/1/25:09:58:58.125 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fef198e9a1 @0x7fefa020930 @0x7fefa01fa00 @0x7fefa01f805 @0xff49089c @0xff490158)

2015-01-25 01:58:58, Info [sysprep.exe] [Action Queue] : Found manifest file C:\windows\Winsxs\Manifests\amd64_microsoft-windows-security-licensing-slc_31bf3856ad364e35_6.1.7600.16385_none_aa6c6f211337016f.manifest

2015-01-25 01:58:58, Info [sysprep.exe] [Action Queue] : GenerateActionQueue finish (hr = 0x0)
2015-01-25 01:58:58, Info [sysprep.exe] [Action Queue] : ProcessActionQueue start
2015-01-25 01:58:58, Info [sysprep.exe] [Action Queue] : ProcessActionQueue using queue file C:\windows\panther\actionqueue\generalize.uaq----> this does not have any action listed so it succeeds. 
2015-01-25 01:58:58, Info [sysprep.exe] [Action Queue] : ProcessActionQueue finish (hr = 0x0)

Sysprep now looks for any enternal providers that are configured on this machine prior to running sysprep, as there are none in our case, it simply bypasses it. 

2015-01-25 01:59:10, Info [0x0f00ac] SYSPRP WinMain:Processing 'cleanup' external provider request.
2015-01-25 01:59:10, Info [0x0f006c] SYSPRP RunExternalDlls:Running DLLs listed in registry for phase 3
2015-01-25 01:59:10, Info [0x0f008a] SYSPRP RunRegistryDlls:Retrieved section name for this phase as Cleanup
2015-01-25 01:59:10, Warning [0x0f008f] SYSPRP RunRegistryDlls:Registry key is either empty or malformed: SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SysPrepExternal\Cleanup

Now inbuilt providers are called and they start cleaning up the system image, typically removing scheduled task,  and MUILangcleanup. after reading from registries..

2015-01-25 01:59:10, Info [0x0f0080] SYSPRP LaunchDll:Found 'C:\Windows\System32\spopk.dll,Sysprep_Clean_Opk'; executing it
2015-01-25 01:59:10, Info [0x0f0081] SYSPRP LaunchDll:Successfully executed 'C:\Windows\System32\spopk.dll,Sysprep_Clean_Opk' without error
2015-01-25 01:59:10, Info [0x0f008b] SYSPRP RunRegistryDlls:Found entrypoint in registry at SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SysPrep\Cleanup\{1e7f4452-a4b4-5a32-d01e-70397b096ced}; will try to launch 'sqmapi.dll,SqmSysprepCleanup'
2015-01-25 01:59:10, Info [0x0f0080] SYSPRP LaunchDll:Found 'sqmapi.dll,SqmSysprepCleanup'; executing it
2015-01-25 01:59:10, Info [0x0f0081] SYSPRP LaunchDll:Successfully executed 'sqmapi.dll,SqmSysprepCleanup' without error
2015-01-25 01:59:10, Info [0x0f008b] SYSPRP RunRegistryDlls:Found entrypoint in registry at SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SysPrep\Cleanup\{2c8a362b-4dc1-38b9-c4d8-ce732ddcc48e}; will try to launch 'C:\Windows\System32\wevtapi.dll,EvtIntSysprepCleanup'

2015-01-25 01:59:12, Info [0x0f0080] SYSPRP LaunchDll:Found 'C:\Windows\System32\LangCleanupSysprepAction.dll,Sysprep_Generalize_MUILangCleanup'; executing it
2015-01-25 01:59:12, Info SYSPRP Sysprep_Generalize_MUILangCleanup Start.

2015-01-25 01:59:13, Info SYSPRP Removing scheduled task for running lpremove.exe and all related data
2015-01-25 01:59:13, Info SYSPRP Removing scheduled task for lpremove.exe succeeed

It then calls cleanupShell and starts deleting all the data in BBOE,

2015-01-25 01:59:13, Info [0x0f008b] SYSPRP RunRegistryDlls:Found entrypoint in registry at SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SysPrep\Cleanup\{03513543-c453-2e4f-3200-c2f12d89732a}; will try to launch 'C:\Windows\System32\shsetup.dll,Sysprep_Cleanup_Shell'
2015-01-25 01:59:13, Info [0x0f0080] SYSPRP LaunchDll:Found 'C:\Windows\System32\shsetup.dll,Sysprep_Cleanup_Shell'; executing it
2015-01-25 01:59:13, Info [shsetup] Sysprep_Cleanup_Shell entered
2015-01-25 01:59:13, Info [shsetup] SHDeleteValue on 'Software\Microsoft\Windows\CurrentVersion\OOBE' + 'SkipMachineOOBE' returned 2
2015-01-25 01:59:13, Info [shsetup] SHDeleteValue on 'Software\Microsoft\Windows\CurrentVersion\OOBE' + 'SkipUserOOBE' returned 2
2015-01-25 01:59:13, Info [shsetup] SHDeleteValue on 'Software\Microsoft\Windows\CurrentVersion\OOBE' + 'HideEULAPage' returned 0
2015-01-25 01:59:13, Info [shsetup] SHDeleteValue on 'Software\Microsoft\Windows\CurrentVersion\OOBE' + 'NetworkLocation' returned 0
2015-01-25 01:59:13, Info [shsetup] SHDeleteValue on 'Software\Microsoft\Windows\CurrentVersion\OOBE' + 'ProtectYourPC' returned 0
2015-01-25 01:59:13, Info [shsetup] SHDeleteValue on 'Software\Microsoft\Windows\CurrentVersion\Setup\OOBE' + 'MediaBootInstall' returned 2

It deletes the user hive and temporary files associated with users, 

2015-01-25 01:59:13, Info [shsetup] SHDeleteKey on 'SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetwork' returned 2

2015-01-25 01:59:13, Info [shsetup] SHDeleteValue on 'System\CurrentControlSet\Control\Network\NetworkLocationWizard' + 'HideWizard' returned 2
2015-01-25 01:59:13, Info [shsetup] Deleting temp files for 'S-1-5-18'
2015-01-25 01:59:13, Info [shsetup] SHCreateItemFromParsingName failed on 'C:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent' (0x80070002)
2015-01-25 01:59:13, Info [shsetup] SHCreateItemFromParsingName failed on 'C:\windows\system32\config\systemprofile\AppData\Local\Temp' (0x80070002)
2015-01-25 01:59:13, Info [shsetup] IFileOperation::PerformOperations returned 0x8000ffff
2015-01-25 01:59:13, Info [shsetup] Cleaning up user hive for 'S-1-5-19'

It then generalizes the system PnP drivers by first checking the list from CDDB

015-01-25 01:59:39, Info [0x0f008b] SYSPRP RunRegistryDlls:Found entrypoint in registry at SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SysPrep\Generalize\{d0c365cf-6d23-9db2-b74d-4e1efd035af7}; will try to launch 'C:\Windows\System32\sppnp.dll,Sysprep_Generalize_Pnp'
2015-01-25 01:59:39, Info [0x0f0080] SYSPRP LaunchDll:Found 'C:\Windows\System32\sppnp.dll,Sysprep_Generalize_Pnp'; executing it
2015-01-25 01:59:39, Info SYSPRP SPPNP: Sysprep_Generalize_Pnp: Enter
2015-01-25 01:59:39, Info SYSPRP SPPNP: Retrieving the list of function drivers from the critical device database (CDDB).
2015-01-25 01:59:39, Info SYSPRP SPPNP: Driver i8042prt was retrieved from the CDDB.
2015-01-25 01:59:39, Info SYSPRP SPPNP: Driver Serial was retrieved from the CDDB.
2015-01-25 01:59:39, Info SYSPRP SPPNP: Driver pcmcia was retrieved from the CDDB.
2015-01-25 01:59:39, Info SYSPRP SPPNP: Driver isapnp was retrieved from the CDDB.
2015-01-25 01:59:39, Info SYSPRP SPPNP: Driver nvraid was retrieved from the CDDB.
2015-01-25 01:59:39, Info SYSPRP SPPNP: Driver Parport was retrieved from the CDDB.
2015-01-25 01:59:39, Info SYSPRP SPPNP: Driver fdc was retrieved from the CDDB.

It then set the startup types as default, if it finds something as non default, 

2015-01-25 01:59:39, Info SYSPRP SPPNP: The original start type of service msdsm was 0.
2015-01-25 01:59:39, Info SYSPRP SPPNP: The driver msdsm has been enabled.

2015-01-25 01:59:39, Info SYSPRP SPPNP: Finished retrieving the list of function drivers from the CDDB.
2015-01-25 01:59:39, Info SYSPRP SPPNP: Enabling the function drivers listed in the critical device database (CDDB) ...
2015-01-25 01:59:39, Warning SYSPRP SPPNP: The original start type of service vhdmp was not found in its expected back-up location. Hence we will not be re-enabling this service. This is not necessarily an error.
2015-01-25 01:59:39, Warning SYSPRP SPPNP: The original start type of service VMBusHID was not found in its expected back-up location. Hence we will not be re-enabling this service. This is not necessarily an error.
2015-01-25 01:59:39, Info SYSPRP SPPNP: Service storvsc is currently not disabled. Hence there is no need to re-enable it.

It then uninstalls all the devices, 

2015-01-25 02:00:10, Info SYSPRP SPPNP: Uninstalling all existing devices <full generalize>.

we can get occasional errors like this below

2015-01-25 02:00:11, Info SYSPRP SPPNP: Skipping uninstall of root enumerated device ROOT\COMPOSITEBUS\0000.
2015-01-25 02:00:13, Info SYSPRP SPPNP: Skipping uninstall of root enumerated device ROOT\MS_L2TPMINIPORT\0000.
2015-01-25 02:00:15, Info SYSPRP SPPNP: Uninstalling device SW\{EEAB7790-C514-11D1-B42B-00805FC1270E}\ASYNCMAC failed with 0x5.

Internal provider also checks if the machine is joined to domain or not, as this machine is in workgroup, no action is needed, 

2015-01-25 02:01:50, Info [0x0f0008] SYSPRP spnet.dll::IsDomainMember:This machine is not joined to a domain
2015-01-25 02:01:50, Info [0x0f000e] SYSPRP spnet.dll::UnjoinNetworkDomain:Not a domain member, nothing to do

Comments

  • Anonymous
    January 26, 2015
    Thanks
    very interesting
  • Anonymous
    June 24, 2016
    Hello, I am trying to find an example implementation of a sysprep provider. I have been searching for a C++ or C# example to base my code on. Do you know where I could find one?Thank you
  • Anonymous
    July 18, 2016
    Very informative indeed.
  • Anonymous
    July 18, 2016
    This is very nicely written piece.